What's new around the internet

Src | Date (GMT) | Title | Description | Tags | Stories | Notes
SecurityAffairs | 2018-05-30 18:30:05 | US-CERT issued an alert on two malware strains associated with North Korea-linked APT Hidden Cobra | The Department of Homeland Security (DHS) and the FBI issued a joint technical alert on two strains of malware, the Joanap backdoor Trojan and the Brambul Server Message Block worm, associated with the HIDDEN COBRA North Korea-linked APT group. The US-CERT alert reads: “Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators […] | Medical | APT 38 |
Kaspersky | 2018-05-30 14:59:01 | Hidden Cobra Strikes Again with Custom RAT, SMB Malware | The North Korean-sponsored actors are targeting sensitive and proprietary information, and the malware could disrupt regular operations and disable systems and files. | | APT 38 |
SecurityWeek | 2018-05-30 10:44:00 | U.S. Attributes Two More Malware Families to North Korea | The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued another joint technical alert on the North Korea-linked threat group known as Hidden Cobra. | Medical | APT 38 |
The_Hackers_News | 2018-05-30 07:42:05 | FBI issues alert over two new malware families linked to Hidden Cobra hackers | The US-CERT has released a joint technical alert from the DHS and the FBI, warning about two newly identified malware families being used by the prolific North Korean APT hacking group known as Hidden Cobra. Hidden Cobra, often known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and known to launch attacks against media organizations, aerospace, | Medical | APT 38 |
Kaspersky | 2018-05-08 20:27:00 | Sierra Wireless Patches Critical Vulns in Range of Wireless Routers | The flaws would leave the enterprise devices helpless to a range of remote threats, including the charms of the Reaper IoT botnet. | Cloud | APT 37 |
DataSecurityBreach | 2018-05-03 13:48:02 | Thailand seizes a server used by the North Korean Lazarus hackers | The hackers of the Lazarus group, presented as North Korean, have reportedly lost one of their servers, seized by... The article "Thailand seizes a server used by the North Korean Lazarus hackers" appeared first on Data Security Breach. | | APT 38 |
itsecurityguru | 2018-04-30 12:25:04 | Thailand seizes server linked to North Korean attack gang | A server hidden in a Thai university and allegedly used as part of a North Korean hacking operation has been seized by ThaiCERT. Thailand’s infosec organisation announced last Wednesday that the box was operated by the Norks-linked Hidden Cobra APT group, and was part of the command-and-control rig for a campaign called GhostSecret. | Medical | APT 38 | ★★
SecurityAffairs | 2018-04-30 08:06:04 | Op GhostSecret – ThaiCERT seized a server used by North Korea Hidden Cobra APT group in the Sony Pictures hack | The Thai authorities, with the support of the ThaiCERT and the security firm McAfee, have seized a server used by the North Korean Hidden Cobra APT as part of the Op GhostSecret campaign. The Thai authorities with the support of the ThaiCERT have seized a server used by North Korean hackers in the attack against Sony Pictures. […] | Medical | APT 38 |
Kaspersky | 2018-04-27 15:58:03 | ThaiCERT Seizes Hidden Cobra Server Linked to GhostSecret, Sony Attacks | It's analyzing the server, operated by the North Korea-sponsored APT, which was used to control the global GhostSecret espionage campaign affecting 17 countries. | | APT 38 |
mcafee | 2018-04-25 04:01:02 | (Déjà vu) Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide | McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. In this post, … | Medical | APT 38 |
mcafee | 2018-04-25 04:01:02 | (Déjà vu) Global Malware Campaign Pilfers Data from Critical Infrastructure, Entertainment, Finance, Health Care, and Other Industries | McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. (For an extensive … | Medical | APT 38 |
SecurityAffairs | 2018-04-12 18:19:00 | APT33 devised a code injection technique dubbed Early Bird to evade detection by anti-malware tools | The Iran-linked APT33 group continues to be very active; security researchers at Cyberbit have discovered an Early Bird code injection technique used by the group. The Early Bird method was used to inject the TurnedUp malware into the infected systems while evading security solutions. The technique allows injecting malicious code into a legitimate process; it allows execution […] | APT33 | APT 33 |
Kaspersky | 2018-04-12 14:50:02 | New 'Early Bird' Code Injection Technique Helps APT33 Evade Detection | Researchers have identified what they are calling an Early Bird code injection technique used by the Iranian group APT33 to burrow the TurnedUp malware inside infected systems while evading anti-malware tools. | APT33 | APT 33 |
Kaspersky | 2018-04-06 19:24:04 | Mirai Variant Targets Financial Sector With IoT DDoS Attacks | Researchers said a Mirai botnet variant, possibly linked to the IoTroop or Reaper botnet, was leveraged in attacks against the financial sector. | Cloud | APT 37 |
no_ico | 2018-04-06 17:15:05 | Reaper Botnet | The ISBuzz Post: Reaper Botnet | Cloud | APT 37 |
SecurityWeek | 2018-04-06 14:54:05 | Researchers Link New Android Backdoor to North Korean Hackers | The recently discovered KevDroid Android backdoor is tied to the North Korean hacking group APT37, Palo Alto Networks researchers say. | Cloud | APT 37 |
SecurityWeek | 2018-04-06 12:08:04 | New Strain of ATM Jackpotting Malware Discovered | A new type of ATM jackpotting malware has been discovered. Dubbed ATMJackpot, the malware appears to be still under development, and to have originated in Hong Kong. There are no current details of any deployment or use. ATMJackpot was discovered and analyzed by Netskope Threat Research Labs. It has a smaller footprint than earlier strains of jackpotting malware, but serves the same purpose: to steal money from automated teller machines (ATMs). ATM jackpotting -- also known as a logical attack -- is the use of malware to control cash dispensing from individual ATMs. The malware can be delivered locally to each ATM via a USB port, or remotely by compromising the ATM operator network. Jackpotting has become an increasing problem in recent years, originally and primarily in Europe and Asia. In 2017, Europol warned that ATM attacks were increasing. "The malware being used has evolved significantly and the scope and scale of the attacks have grown proportionately," said Steven Wilson, head of Europol's EC3 cybercrime center. The first attacks against ATMs in the U.S. were discovered in January 2018 following an alert issued by the Secret Service. In March 2018, the alleged leader of the Carbanak group was arrested in Spain. Carbanak is believed to have stolen around $1.24 million over the preceding years. Its method was to compromise the servers controlling ATM networks by spear-phishing bank employees, and then use foot soldiers (mules) to collect money dispensed from specific ATMs at specific times. It is not clear whether the ATMJackpot malware discovered by Netskope is intended to be manually installed via USB on individual ATMs, or downloaded from a compromised network. Physical installation on an ATM is not always difficult. In July 2017, IOActive described how its researchers could gain access to the Diebold Opteva ATM. It was achieved by inserting a metal rod through a speaker hole and raising a metal locking bar. From there they were able to reverse engineer software to get access to the money vault. Jackpotting malware is designed to avoid the need to physically break into the vault. It can be transferred via a USB port to the computer part of the ATM that controls the vault. Most ATMs use a version of Windows that is well understood by criminals. ATMJackpot malware first registers the Windows class name 'Win' with a procedure for the malware activity. The malware then populates the options on the window and initiates a connection with the XFS manager. The XFS subsystem provides a common API to access and manipulate the ATM devices from different vendors. The malware then opens a session with the service providers and registers to monitor events. It opens a session with the cash dispenser, the card reader and the PIN pad servic | Guideline Cloud | APT 37 |
SecurityAffairs | 2018-04-05 18:23:02 | OSX_OCEANLOTUS.D, a new macOS backdoor linked to APT 32 group | Security experts at Trend Micro have discovered a new macOS backdoor that they linked to the APT 32 (OceanLotus, APT-C-00, SeaLotus, and Cobalt Kitty) cyber espionage group. The APT32 group has been active since at least 2013; according to the experts it is a state-sponsored hacking group. The hackers hit organizations across multiple industries and have also targeted foreign […] | | APT 32 | ★★
SecurityWeek | 2018-04-05 16:59:01 | Financial Services DDoS Attacks Tied to Reaper Botnet | Recorded Future's "Insikt" threat intelligence research group has linked the Mirai variant IoTroop (aka Reaper) botnet with attacks on the Netherlands financial sector in January 2018. The existence of IoTroop was first noted by Check Point in October 2017. At that point the botnet had not been used to deliver any known DDoS attacks, and its size was disputed. What was clear, however, was its potential for growth. In January 2018, the financial services sector in the Netherlands was hit by a number of DDoS attacks. Targets included ABN Amro, Rabobank and ING; but at that time the source of the attack was unknown. Insikt researchers now report that at least one of these financial services attacks -- and possibly more -- was the first known use of IoTroop to deliver a DDoS attack. "IoTroop is a powerful internet of things (IoT) botnet," reports Insikt, "primarily comprised of compromised home routers, TVs, DVRs, and IP cameras exploiting vulnerabilities in products from major vendors including MikroTik, Ubiquity and GoAhead." The attack itself was not excessively high by modern standards. "The initial attack was a DNS amplification attack with traffic volumes peaking at 30Gb/s," reports Insikt -- far short of the 1.7Tb/s attack that occurred in February. If the IoTroop assumption is correct, it is clear the botnet has evolved extensively since its discovery last year. Fortinet's SVP products and solutions reported last month, "the Reaper [IoTroop] exploit was built using a flexible Lua engine and scripts, which means that instead of being limited to the static, pre-programmed attacks of previous exploits, its code can be easily updated on the fly, allowing massive, in-place botnets to run new and more malicious attacks as soon as they become available." Insikt reports that the malware can use at least a dozen vulnerabilities and can be updated by the attackers as new vulnerabilities are exposed. "Our analysis," it says, "shows the botnet involved in the first company attack was 80% comprised of compromised MikroTik routers with the remaining 20% composed of various IoT devices ranging from vulnerable Apache and IIS web servers to routers from Ubiquity, Cisco and ZyXEL. We also discovered Webcams, TVs and DVRs among the 20% of IoT devices, which included products from major vendors such as MikroTik, GoAhead, Ubiquity, Linksys, TP-Link and Dahua." This list adds new devices now vulnerable to IoTroop in addition to those noted in the original October 2017 research -- which suggests, says Insikt, "a widespread and rapidly evolving botnet that appears to be leveraging publicly disclosed vulnerabilities in many IoT devices." | Cloud | APT 37 |
SecurityWeek | 2018-04-05 15:23:03 | New macOS Backdoor Linked to Cyber-espionage Group | A recently discovered macOS backdoor is believed to be a new version of malware previously associated with the OceanLotus cyber-espionage group, Trend Micro says. Also known as APT 32, APT-C-00, SeaLotus, and Cobalt Kitty, OceanLotus is believed to be operating out of Vietnam and has been targeting high-profile corporate and government organizations in Southeast Asia. Well-resourced and determined, the group uses custom-built malware and already established techniques. | | APT 32 |
ZDNet | 2018-04-05 10:59:01 | New MacOS backdoor connected to OceanLotus threat group | OceanLotus has been linked to attacks against human rights organizations, researchers, and more. | | APT 32 |
SecurityAffairs | 2018-04-05 09:22:01 | North Korea-Linked Lazarus APT suspected for online Casino assault | The North Korea-linked APT group known as Lazarus made the headlines again for attacking an online casino in Central America and other targets. The activity of the Lazarus Group (aka Hidden Cobra) surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated. […] | Medical | APT 38 |
SecurityWeek | 2018-04-04 17:40:00 | North Korean Hackers Behind Online Casino Attack: Report | The infamous North Korean hacking group known as Lazarus is responsible for attacking an online casino in Central America, along with various other targets, ESET says. The Lazarus Group has been active since at least 2009 and is said to be associated with a large number of major cyber-attacks, including the $81 million cyber heist from Bangladesh's account at the New York Federal Reserve Bank. Said to be the most serious threat against banks, the group has shown increased interest in | Medical | APT 38 |
SecurityWeek | 2018-04-04 14:00:03 | Breaches Increasingly Discovered Internally: Mandiant | Organizations are getting increasingly better at discovering data breaches on their own, with more than 60% of intrusions in 2017 detected internally, according to FireEye-owned Mandiant. The company's M-Trends report for 2018 shows that the global median time for internal detection dropped to 57.5 days in 2017, compared to 80 days in the previous year. Of the total number of breaches investigated by Mandiant last year, 62% were discovered internally, up from 53% in 2016. On the other hand, it still took roughly the same amount of time for organizations to learn that their systems had been compromised. The global median dwell time in 2017 – the median time from the first evidence of a hack to detection – was 101 days, compared to 99 days in 2016. Companies in the Americas had the shortest median dwell time (75.5 days), while organizations in the APAC region had the longest dwell time (nearly 500 days). (Figure: dwell time data from Mandiant.) Data collected by Mandiant in 2013 showed that more than one-third of organizations had been attacked again after the initial incident had been remediated. More recent data, specifically from the past 19 months, showed that 56% of Mandiant customers were targeted again by either the same group or one with similar motivation. In cases where investigators discovered at least one type of significant activity (e.g. compromised accounts, data theft, lateral movement), the targeted organization was successfully attacked again within one year. Organizations that experienced more than one type of significant activity were attacked by more than one threat actor. Again, the highest percentage of companies attacked multiple times and by multiple threat groups was in the APAC region – more than double compared to the Americas and the EMEA region. When it comes to the most targeted industries, companies in the financial and high-tech sectors recorded the highest number of significant attacks, while the high-tech, telecommunications and education sectors were hit by the highest number of different hacker groups. Last year, FireEye assigned names to four state-sponsored threat groups, including the Vietnam-linked APT32 (OceanLotus), and the Iran-linked APT33, APT34 (OilRig), and APT35 (NewsBeef, Newscaster and Charming Kitten). | Conference APT33 | APT 35 APT 33 APT 32 APT 34 |
SecurityWeek | 2018-04-03 18:30:03 | New KevDroid Android Backdoor Discovered | Security researchers have discovered a new Android Remote Access Trojan (RAT) that can steal a great deal of information from infected devices. Dubbed KevDroid, the mobile threat can steal contacts, messages, and phone history, while also able to record phone calls, Talos reports. Two variants of the malware have been identified so far. One of the variants exploits CVE-2015-3636 to gain root access, but both implement the same call recording capabilities, taken from an open-source project on GitHub. Once it has infected a device, the first KevDroid variant can gather and siphon information such as installed applications, phone number, phone unique ID, location, stored contacts information, stored SMS, call logs, stored emails, and photos. | Guideline Cloud | APT 37 |
ESET | 2018-04-03 13:00:03 | Lazarus KillDisks Central American casino | The Lazarus Group gained notoriety especially after cyber-sabotage against Sony Pictures Entertainment in 2014. Fast forward to late 2017 and the group continues to deploy its malicious tools, including disk-wiping malware known as KillDisk, to attack a number of targets. | Medical | APT 38 |
ErrataRob | 2018-03-29 22:25:24 | WannaCry after one year | In the news, Boeing (an aircraft maker) has been "targeted by a WannaCry virus attack". Phrased this way, it's implausible. There are no new attacks targeting people with WannaCry. There is either no WannaCry, or it's simply a continuation of the attack from a year ago. It's possible what happened is that an anti-virus product called a new virus "WannaCry". Virus families are often related, and sometimes a distant relative gets called the same thing. I know this watching the way various anti-virus products label my own software, which isn't a virus, but which virus writers often include with their own stuff. The Lazarus group, which is believed to be responsible for WannaCry, has whole virus families like this. Thus, just because an AV product claims you are infected with WannaCry doesn't mean it's the same thing that everyone else is calling WannaCry. Famously, WannaCry was the first virus/ransomware/worm that used the NSA ETERNALBLUE exploit. Other viruses have since added the exploit, and of course, hackers use it when attacking systems. It may be that a network intrusion detection system detected ETERNALBLUE, which people then assumed was due to WannaCry. It may actually have been an nPetya infection instead (nPetya was the second major virus/worm/ransomware to use the exploit). Or it could be the real WannaCry, but it's probably not a new "attack" that "targets" Boeing. Instead, it's likely a continuation from WannaCry's first appearance. WannaCry is a worm, which means it spreads automatically after it was launched, for years, without anybody in control. Infected machines still exist, unnoticed by their owners, attacking random machines on the Internet. If you plug an unpatched computer into the raw Internet, without the benefit of a firewall, it'll get infected within an hour. However, the Boeing manufacturing systems that were infected were not on the Internet, so what happened? The narrative from the news stories implies some nefarious hacker activity that "targeted" Boeing, but that's unlikely. We now have over 15 years of experience with network worms getting into strange places disconnected and even "air gapped" from the Internet. The most common reason is laptops. Somebody takes their laptop to some place like an airport WiFi network, and gets infected. They put their laptop to sleep, then wake it again when they reach their destination, and plug it into the manufacturing network. At this point, the virus spreads and infects everything. This is especially the case with maintenance/support engineers, who often have specialized software they use to control manufacturing machines, for which they have a reason to connect to the local network even if it doesn't have useful access to the Internet. A single engineer may act as a sort of Typhoid Mary, going from customer to customer, infecting each in turn whenever they open their laptop. Another cause for infection is virtual machines. A common practice is to take "snapshots" of live machines and save them to backups. Should the virtual machine crash, instead of rebooting it, it's simply restored from the backed up running image. If that backup image is infected, then bringing it out of sleep will allow the worm to start spreading. Jake Williams claims he's seen three other manufacturing networks infected with WannaCry. Why does manufacturing seem more susceptible? The reason appears to be the "killswitch" that stops WannaCry from running elsewhere. The killswitch uses a DNS lookup, stopping itself if it can resolve a certain domain. Manufacturing networks are largely disconnected from the Internet enough that such DNS lookups don't work, so the domain can't be found, so the killswitch doesn't work. Thus, manufacturing systems are no more likely to get infected, but the lack of killswitch means the virus will conti | Medical Wannacry | APT 38 |
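The killswitch mechanism described in the row above (a DNS lookup whose success stops the worm and whose failure lets it run) is worth seeing as a decision table. The block below is an added example, not code from the original post and not taken from any malware sample: it models that one decision with the resolver injected as a function, so it runs offline and shows why a disconnected network behaves like an "always run" answer. KILLSWITCH_DOMAIN is a placeholder rather than the real domain, the addresses are documentation-range values, and the internal-zone resolver illustrates a mitigation that is my assumption, not something the post proposes.

```python
"""Model of the WannaCry DNS killswitch decision (added example, not the post's code).

The worm resolves a hard-coded domain before spreading: a successful lookup
makes it exit, a failed lookup lets it run. Everything here is a constructed
model; KILLSWITCH_DOMAIN is a placeholder, not the real sinkholed domain.
"""
import socket
from typing import Callable, Dict

# Placeholder (assumption): stands in for the worm's hard-coded killswitch name.
KILLSWITCH_DOMAIN = "killswitch-placeholder.invalid"

# A resolver maps a name to an IPv4 address string and raises OSError on failure,
# which is the contract socket.gethostbyname follows.
Resolver = Callable[[str], str]


def worm_proceeds(resolve: Resolver, domain: str = KILLSWITCH_DOMAIN) -> bool:
    """Return True if the worm would keep running, False if the killswitch fires.

    Mirrors the logic described in the post: any resolution failure (NXDOMAIN,
    no resolver reachable, timeout) is treated as 'domain not found', so the
    worm proceeds. Only a successful lookup stops it.
    """
    try:
        resolve(domain)
    except OSError:
        return True
    return False


def internet_resolver(domain: str) -> str:
    """Simulated host with working recursive DNS: the sinkholed domain resolves."""
    return "203.0.113.10"  # RFC 5737 documentation address, constructed


def airgapped_resolver(domain: str) -> str:
    """Simulated manufacturing-network host: no path to a recursive resolver."""
    raise socket.gaierror(-2, "Name or service not known")


def make_internal_zone_resolver(zone: Dict[str, str]) -> Resolver:
    """Resolver backed by a constructed internal DNS zone.

    Assumed mitigation for disconnected networks (not from the post): publish the
    killswitch name in internal DNS with any answer at all, so the lookup succeeds
    and the worm exits even though the Internet is unreachable.
    """
    def resolve(domain: str) -> str:
        try:
            return zone[domain.lower().rstrip(".")]
        except KeyError:
            raise socket.gaierror(-2, "Name or service not known")
    return resolve


def live_resolver(domain: str) -> str:
    """Real lookup through the system resolver; needs network, so not used below."""
    return socket.gethostbyname(domain)


if __name__ == "__main__":
    sinkhole = make_internal_zone_resolver({KILLSWITCH_DOMAIN: "10.255.255.1"})
    for label, resolver in [("internet", internet_resolver),
                            ("air-gapped", airgapped_resolver),
                            ("air-gapped + internal zone", sinkhole)]:
        state = "spreads" if worm_proceeds(resolver) else "exits"
        print(f"{label:28s} worm {state}")
```

The point the table makes is that the killswitch is a fail-open control: a network that cannot resolve anything gives the worm the same answer as a network where the domain was never sinkholed, so on an isolated plant network the protection that stopped WannaCry on the public Internet simply is not there unless the name is answered locally.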
SecurityWeek | 2018-03-22 15:30:01 | (Déjà vu) Iran-linked Hackers Adopt New Data Exfiltration Methods | An Iran-linked cyber-espionage group has been using new malware and data exfiltration techniques in recent attacks, security firm Nyotron has discovered. The threat actor, known as OilRig, has been active since 2015, mainly targeting United States and Middle Eastern organizations in the financial and government industries. The group has already been observed using multiple tools and adopting new exploits fast, as well as switching to new Trojans in | Guideline | APT 34 |
SecurityWeek | 2018-03-21 11:29:00 | (Déjà vu) 5 Fun Facts About the 2018 Singapore Cybersecurity Statute | An orchard of cybersecurity law is growing in Asia. Now based in Singapore, your intrepid reporter is bumping into these cyber laws not as a participant (yet) but as an interested observer. Like the data-protection laws recently passed throughout the region, these cybersecurity regulations have a lot in common with each other. Singaporeans are known for their discipline, so you can expect that their cybersecurity law will be among the best in the region. Let your intrepid reporter summarize the statute, and also highlight 5 fun facts found within it. The Singapore Cybersecurity Statute: On January 8, 2018, the Singapore government published Bill No. 2/2018, referred to as “the Cybersecurity Bill.” Local infosec professionals consider it, overall, a good bill, covering exactly the topics one would expect to see from the Singaporean government. After a first draft, lively debate ensued during the public commentary period, and the government folded the best suggestions into its final bill. The administration of the statute will be completed by a Cybersecurity Commissioner. This person will define many of the finer points of policy, which have been purposely left out of the framework. The bill comprises three main themes: 1. Critical Infrastructure. The Cybersecurity Bill defines the criteria by which the commissioner should identify critical infrastructure (sections 7–9). These include 11 groupings of “essential services,” including aviation, banking, and healthcare. Fun Fact #1: The Philippine government is working on a similar project, called the “National Cybersecurity Plan 2022”, and word is that they copied the groupings, in order, from the Singaporean version. Nothing wrong with that, though. The local cybersecurity community applauds the Singapore bill's requirements for bi-annual audits and regular penetration tests. That's just good policy, so it might as well be a law; after all, this is Singapore. 2. Incident Response. Sections 19–23 define the powers the commissioner has to investigate, prevent, and respond to cybersecurity incidents. Fun Fact #2: Of interest is that the bill allows the designation of temporary technical experts, who will be issued cards identifying themselves as such. Your reporter personally finds this pretty cool, and would be tickled to be a card-carrying Singaporean crime fighter (temporarily) someday. He imagines himself holding up a badge and saying, with authority, “Everyone calm down, I'm here to help.” 3. Cybersecurity Service Providers. Sections 24–35 describe the governance of so-called cybersecurity service providers: penetration testers and security operations centers (SOCs). Perhaps the most significant aspect of the bill is Fun Fact #3: Provid | Cloud | APT 37 |
AlienVault | 2018-03-16 13:00:00 | Things I hearted this week 16th March 2018 | Last weekend, my daughter and I finally got around to watching Wonder Woman. We quite enjoyed it. There was a part in which Chris Pine’s character said, “My father told me once, he said, "If you see something wrong happening in the world, you can either do nothing, or you can do something". And I already tried nothing." So, I turned to my daughter and asked, "When you're older will you say awesome quotes and attribute them to your dad so I'll appear all knowing and wise?" She replied, "Yeah, I'll say 'my father told me if you see something wrong you can either do nothing, or send memes'". Not sure if that means I’ve succeeded as a Dad or failed miserably. Hopefully she’ll come across one of these posts in the future and realise there was more to me than just memes. Operation Bayonet: This article gives a fascinating insight into how law enforcement infiltrated and took down a drug market. As reports of these kinds of operations become available, Hollywood should really be looking to these for inspiration. Far better plots than most fiction! Operation Bayonet: Inside the sting that hijacked an entire dark web drug market | Wired. How many devices are misconfigured… or not configured? I saw this blog that Anton Chuvakin posted over at Gartner stating that there’s a lot of security technology which is deployed yet misconfigured, not configured optimally, set to default, or deployed broken in other ways. Broadly speaking, I agree; in the race to get things done, assurance often takes a back seat. But there’s no obvious answer. Testing takes time and expertise. Unless it’s automated. But even then someone needs to look at the results and get things fixed. DevSecOps maybe? How Much of Your Security Gear Is Misconfigured or Not Configured? | Gartner. Hacking encrypted phones: Encrypted phone company Ciphr claims it was hacked by a rival company. A preview into how vicious digital rivals can get. And regardless of who is to blame, the fact remains that the real victims here are the users. Customer Data From Encrypted Phone Company Ciphr Has Been Dumped Online | Motherboard. Hidden Cobra on Turkish Banks: Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity. The malicious domain falcancoin.io was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system. This implant also contains functionality to wipe files and content from the targeted system to erase evidence or perform other destructive actions. Bankshot was first reported by the Department of Homeland Security on December 13, 2017, and has only recently resurfaced in newly compiled variants. The sample we analyzed is 99% similar to the documented Bankshot variants from 2017. | Medical Equifax | APT 38 |
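The Bankshot delivery domain in the row above, falcancoin.io standing in for Falcon Coin, is a one-character lookalike, and that is exactly the kind of name a resolver-log check can surface before an implant is staged. The block below is an added example, not code from the original post or from McAfee: it parses BIND-style query log lines, reduces each queried name to its registrable domain and flags any name within a small edit distance of a brand watchlist. The watchlist entry falconcoin.io is an assumption (the page names the platform, not its legitimate domain), and the log lines and client addresses are constructed; only the falcancoin.io name comes from the page.

```python
"""Lookalike-domain detection over DNS query logs (added example, not the post's code)."""
import re
from typing import Dict, Iterable, List, Tuple

# Assumed legitimate brand domain; the page names the platform, not its domain.
WATCHLIST = ["falconcoin.io"]

# Constructed BIND-style query log. falcancoin.io is the name reported in the post;
# every other name and all client addresses are made up for the example.
SAMPLE_LOG = """\
client 10.0.0.5#53211: query: falcancoin.io IN A + (10.0.0.1)
client 10.0.0.7#40102: query: www.falconcoin.io IN A + (10.0.0.1)
client 10.0.0.9#51000: query: cdn.falc0ncoin.io IN A + (10.0.0.1)
client 10.0.0.5#53220: query: update.microsoft.com IN A + (10.0.0.1)
""".splitlines()

QUERY_RE = re.compile(r"query: (?P<qname>[^\s]+) IN ")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) with the usual two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(qname: str) -> str:
    """Last two labels, lower-cased. Assumes single-label TLDs (no co.uk handling)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalikes(lines: Iterable[str], watchlist: List[str] = WATCHLIST,
               max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Return (queried domain, watchlist domain, distance) for near-miss names.

    Distance 0 is the brand itself and is skipped; each suspicious domain is
    reported once even if it was queried many times.
    """
    hits: Dict[str, Tuple[str, str, int]] = {}
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        dom = registrable(m.group("qname"))
        if dom in hits:
            continue
        for legit in watchlist:
            d = levenshtein(dom, legit)
            if 0 < d <= max_distance:
                hits[dom] = (dom, legit, d)
                break
    return sorted(hits.values())


if __name__ == "__main__":
    for dom, legit, d in lookalikes(SAMPLE_LOG):
        print(f"{dom} looks like {legit} (distance {d})")
```

Keep max_distance small: with two edits, short brand names start matching unrelated domains, so in practice the threshold is paired with a minimum name length or a per-brand list. The domain ages the post cites (registered December 27, updated February 19, days before the implants appeared) are a second, independent signal; they need a WHOIS or passive-DNS lookup, which is why they are left out of this offline block.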
SecurityWeek.webp 2018-03-15 03:15:04 Qrypter RAT Hits Hundreds of Organizations Worldwide (lien direct) Hundreds of organizations all around the world have been targeted in a series of attacks that leverage the Qrypter remote access Trojan (RAT), security firm Forcepoint says. The malware, often mistaken for the Adwind cross-platform backdoor, has been around for a couple of years, and was developed by an underground group called 'QUA R&D', which offers a Malware-as-a-Service (MaaS) platform. Also known as Qarallax, Quaverse, QRAT, and Qontroller, Forcepoint explains that Qrypter APT 32
SecurityWeek.webp 2018-03-15 03:01:04 New “HenBox” Android Malware Discovered (lien direct) A newly discovered Android malware family masquerades as various popular applications and can steal a broad range of information from infected devices, Palo Alto Networks warns. Dubbed HenBox, the malware was observed installing the legitimate versions of apps it poses as to hide its presence on compromised devices. The threat is distributed via third-party app stores and mainly targets Uyghur, a minority Turkic ethnic group in the Xinjiang Uyghur Autonomous Region in North West China, and Xiaomi devices. On the infected devices, HenBox can steal information from mainstream chat, communication, and social media apps. It gathers both personal and device information, can track the device's location, can access the microphone and camera, and harvests outgoing phone numbers with an “86” prefix (the country code for the People's Republic of China). Palo Alto's researchers discovered nearly 200 HenBox samples, the oldest dating back to 2015, but activity occured in the second half of 2017. A small but consistent number of samples has been observed this year as well. While analyzing the mobile threat, Palo Alto connected APT 32
SecurityWeek.webp 2018-03-14 16:39:02 (Déjà vu) Microsoft Patches Remote Code Execution Flaw in CredSSP (lien direct) A vulnerability (CVE-2018-0886) patched by Microsoft with its March 2018 security patches was a remote code execution flaw in the Credential Security Support Provider protocol (CredSSP) used by Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM). This vulnerability can be exploited by an attacker to relay user credentials to execute code on a target system. The authentication provider, Microsoft explains, processes authentication requests for other applications, meaning that the vulnerability puts all applications that depend on CredSSP at risk. Preempt, which discovered the bug, explains APT 32
SecurityWeek.webp 2018-03-14 15:56:03 Combatting the Transformation of Cybercrime (lien direct) The volume of cyberattacks is growing at an unprecedented rate, increasing as much as nearly 80% for some organizations during the final quarter of 2017. One reason for this acceleration in the attack cycle is that in order for malware to succeed today it needs to spread further and faster than even before. This allows cybercriminals to stay a step ahead of new efforts by vendors to improve their delivery of updated signatures and patches.  But it's not just about volume. These attacks are also increasingly sophisticated, often spanning across malware families and using advanced techniques to simultaneously target multiple attack vectors. This enhanced focus on innovation, combined with the increased speed and volume at which new threat variants are being released into the wild, is successfully catching far too many organizations unprepared.  To keep your organization ahead of the threat curve, here are five recent trends you should be aware of: Cryptojacking  Cryptojacking is an important new trend among cybercriminals. The latest iteration involves injecting malicious JavaScript into vulnerable websites, or delivering it via phishing campaigns. Simply browsing an infected site can enable attackers to hijack CPU cycles to perform cryptomining on behalf of a cybercriminal. While such attacks initially hijacked all available CPU, causing machines to become virtually unusable, new, more sophisticated attacks, now monitor device CPU and rate limit the amount of processing power they leverage, often using 50% or less of available processing power at any given moment in order to evade detection. Cryptojacking can result in everything from annoying side effects such browser hang-ups and system crashes, to degraded network performance, sophisticated data theft, and increasingly, even the delivery of ransomware. 
IoT Botnets  IoT-based botnets also continue to dominate the threat landscape. But unlike the first generation of IoT attacks, which focused on exploiting a single vulnerability, new IoT botnets such as Reaper and Hajime simultaneously target multiple vulnerabilities, making them much harder to combat. Even worse, because many IoT manufacturers don't have a PSIRT team in place, many of these attacks target known IoT vulnerabilities for which no CVE has been named, which means there is little opportunity to even report vulnerabilities when they are discovered, let alone prepare for them. To complicate things further, the Reaper exploit was built using a flexible Lua engine and scripts, which means that instead of being limited to the static, pre-programmed attacks of previous exploits, its code can be easily updated on the fly, allowing massive, in-place botnets to run new and more malicious attacks as soon as they become available.  Ransomware Cloud APT 37
SecurityAffairs.webp 2018-03-14 15:15:02 OceanLotus APT is very active, it used new Backdoor in recent campaigns (lien direct) The OceanLotus APT group, also known as APT32 and APT-C-00, has been using a new backdoor in recently observed attacks. The OceanLotus Group has been active since at least 2013; according to the experts it is a state-sponsored hacking group linked to Vietnam whose targets are mostly in Vietnam, the Philippines, Laos, and Cambodia. The hackers targeting […] APT 32
SecurityWeek.webp 2018-03-14 03:00:02 SAP Patches Decade-Old Flaws With March 2018 Patches (lien direct) SAP this week released its March 2018 set of security patches to address High and Medium priority vulnerabilities in its products. A total of 10 Security Notes were included in the SAP Security Patch Day this month, three rated High priority and 7 considered Medium priority. Two of the Notes were updates for previously released Security Notes. SAP this month included 17 Support Package Notes in the Security Patch Day, for a total of 17 Security Notes, ERPScan (a company that specializes in securing Oracle and SAP applications) reports. 11 of the Notes were released after the second Tuesday of the last month and before the second Tuesday of this month. The most severe of the Security Notes addresses three vulnerabilities in SAP Internet Graphics Server (IGS) and carries a High priority rating (CVSS Base Score: 8.8). The bugs include CVE-2004-1308 (memory corruption), CVE-2005-2974 (denial of service), and CVE-2005-3350 (remot APT 32
SecurityWeek.webp 2018-03-13 17:58:05 "OceanLotus" Spies Use New Backdoor in Recent Attacks (lien direct) OceanLotus, a cyber-espionage group believed to be operating out of Vietnam, has been using a new backdoor in recently observed attacks, but also using previously established tactics, ESET reveals. Also known as APT32 and APT-C-00, the advanced persistent threat (APT) has been targeting high-profile corporate and government organizations in Southeast Asia, particularly in Vietnam, the Philippines, Laos, and Cambodia. The group is well-resourced and determined and is known to be using custom-built malware in combination with techniques long known to be successful. One of the latest malware families used by the group is a fully-fledged backdoor that provides operators with remote access to compromised machines, along with the ability to manipulate files, registries, and processes, as well as the option to load additional components if needed. For distribution purposes, OceanLotus uses a two-stage attack that employs a dropper to gain an initial foothold on the targeted system and prepare the stage for the backdoor, ESET explains in a new report ( APT 32
ESET.webp 2018-03-13 08:55:02 OceanLotus ships new backdoor using old tricks (lien direct) To smuggle the backdoor onto a targeted machine, the group uses a two-stage attack whereby a dropper package first gains a foothold on the system and sets the stage for the backdoor itself. This process involves some trickery commonly associated with targeted operations of this kind. Threat APT 32
SecurityAffairs.webp 2018-03-10 06:53:00 North Korean Hidden Cobra APT targets Turkish financial industry with new Bankshot malware (lien direct) McAfee Advanced Threat Research team discovered that the Hidden Cobra APT group is targeting financial organizations in Turkey. North Korea-linked APT group Hidden Cobra (aka Lazarus Group) is targeting the Turkish financial system. Experts from McAfee observed the hackers using the Bankshot implant in targeted attacks against financial organizations in Turkey. The attack resembles previous attacks conducted […] Medical APT 38
SecurityWeek.webp 2018-03-09 17:22:01 New North Korea-linked Cyberattacks Target Financial Institutions (lien direct) New North Korean Hidden Cobra / Lazarus Campaign Targets Financial Institutions in Turkey Hidden Cobra, also known as the Lazarus Group from North Korea, is now targeting the Turkish financial system with a new and 'aggressive' operation that resembles earlier attacks against the global SWIFT financial network. Medical APT 38
DataSecurityBreach.webp 2018-03-08 21:11:01 Chafer: a group of cyber attackers based in Iran (lien direct) A hacking group dubbed Chafer is reportedly attacking companies around the world. Black market enthusiasts... The article Chafer: a group of cyber attackers based in Iran appeared first on Data Security Breach. Prediction APT 39
mcafee.webp 2018-03-08 14:00:03 Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant (lien direct) This post was prepared with contributions from Asheer Malhotra, Charles Crawford, and Jessica Saavedra-Morales.  On February 28, the McAfee Advanced Threat Research team discovered that the cybercrime group Hidden Cobra continues to target cryptocurrency and financial organizations. In this analysis, we observed the return of Hidden Cobra's Bankshot malware implant surfacing in the Turkish financial … Medical APT 38 ★★★
SecurityWeek.webp 2018-03-01 19:06:00 Iran-Linked Chafer Group Expands Toolset, Targets List (lien direct) The Iran-based targeted attack group known as "Chafer" has been expanding its target list in the Middle East and beyond and adding new tools to its cyberweapon arsenal, Symantec warns. Prediction APT 39
Blog.webp 2018-03-01 15:32:02 Iran Taps Chafer APT Group amid Civil Aviation Crisis (lien direct) Iran's Chafer hacking group is targeting aviation repair and maintenance firms in an apparent effort to obtain information needed to shore up the safety of that country's fleet of domestic aircraft, according to research by the firm Symantec. When an Aseman Airlines flight crashed in bad weather in a mountainous region of southern Iran... Prediction APT 39
Trend.webp 2018-02-28 10:09:00 Cryptocurrency-Mining Malware: 2018's New Menace? (lien direct) Will cryptocurrency-mining malware be the new ransomware? The popularity and increasing real-world significance of cryptocurrencies are also drawing cybercriminal attention - so much so that it appears to keep pace with ransomware's infamy in the threat landscape. In fact, cryptocurrency mining was the most detected network event in devices connected to home routers in 2017. What started out in mid-2011 as an afterthought to main payloads such as worms and backdoors has evolved into such an effective way to profit that even cyberespionage and ransomware operators, and organized hacking groups are joining the bandwagon. APT 38
SecurityAffairs.webp 2018-02-27 18:54:05 Recently patched CVE-2018-4878 Adobe Flash Player flaw now exploited by cybercriminals (lien direct) Security researchers at Morphisec have uncovered a massive hacking campaign that is exploiting the recently patched CVE-2018-4878 Adobe Flash Player vulnerability. Threat actors are exploiting the use-after-free flaw to deliver malware. The CVE-2018-4878 vulnerability was fixed by Adobe on February 6, after security experts discovered it was used by North Korea-linked APT37 group in targeted […] Cloud APT 37
SecurityAffairs.webp 2018-02-24 09:18:03 Iran-linked group OilRig used a new Trojan called OopsIE in recent attacks (lien direct) According to malware researchers at Palo Alto Networks, the Iran-linked OilRig APT group is now using a new Trojan called OopsIE. The Iran-linked OilRig APT group is now using a new Trojan called OopsIE; experts at Palo Alto Networks observed the new malware being used in recent attacks against an insurance agency and a financial institution in the Middle East. […] APT 34
SecurityWeek.webp 2018-02-23 18:38:01 Iranian Hackers Use New Trojan in Recent Attacks (lien direct) The cyberespionage group known as OilRig and previously linked to Iran has been observed using a new Trojan in recent attacks, Palo Alto Networks reports. APT 34
SecurityWeek.webp 2018-02-21 15:20:05 North Korea Cyber Threat 'More Aggressive Than China': US Firm (lien direct) North Korean hackers are becoming more aggressive than their Chinese counterparts, a leading US cybersecurity firm warned Tuesday, as it identified a Pyongyang-linked group as an "advanced persistent threat". Guideline Cloud APT 37
itsecurityguru.webp 2018-02-21 14:07:03 Reaper: Little-known North Korean hacker group steps up attacks in Vietnam, Japan and Middle East (lien direct) A lesser-known North Korean cyberespionage group has been rapidly widening its scope and skills to step up attacks beyond the Korean Peninsula to include Japan, Vietnam and the Middle East in 2017, security researchers have said. According to cybersecurity firm FireEye, the shadowy hacker group dubbed APT37 or Reaper has been active since 2012 and ... Cloud APT 37 ★★★★
Last update at: 2024-06-30 15:08:07